[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: debsums for maintainer scripts

Manoj Srivastava <srivasta@debian.org> writes:

> On 04 Dec 2003 02:44:31 +0100, Goswin von Brederlow <brederlo@informatik.uni-tuebingen.de> said: 
> > "Bernhard R. Link" <blink@informatik.uni-freiburg.de> writes:
> >> * Manoj Srivastava <srivasta@debian.org> [031203 20:12]:
> >> > 	Before we make such a push, we should at least ensure that it
> >> >  is something we really want to do. I think locally generated
> >> >  checksums are a better solution.
> >>
> >> I don't think so. md5-calculation it not the fastest thing
> >> (especially on non-i386 it often feels like downloading and
> >> installing together needs less time than the md5sum-verification.
> >> So this should be switched off, but then it will be missing when
> >> one needs them.
> > The md5sum file should be generated at build time, signed and only
> > the signature kept. The signature is small enough not to cause
> > bloat, it can be included in the Package file or a Signatures.gz
> > file containing all signatures could be maintained in the archive.
> 	Good, except that now we have no checksum checks for the most
>  critical files on my system -- the ones that tailor all software that
>  runs to my environment. Generating the md5sums on install for atleast
>  the conffiles should still be considered, since the checksums for the
>  conffiles on my system often bear little resemblance to the md5sums
>  for the conffiles shipped with the package.

Thats the job of your lokal intrusion detection system. Providing
something for intrusion detection systems like md5sums after
configuring might be usefull but too often files are edit by hand
afterwards too.

> > When one needs to verify the md5sum files can be generated
> > (dpkg-repack and then generate them) and compared.
> 	Why dpkg-repack?
> __> cat /var/lib/dpkg/info/mailagent.list | while read i; do test -f $i \
>       &&&& md5sum $i; done
> c1188623038c4ae8b0b94b7718ed33d4  /usr/bin/mailpatch
> 448fa9faf25a526231944b5c19d85305  /usr/bin/mailhelp
> 21da2125bd7dd23885b4ae929187b6a4  /usr/bin/maillist
> ffd68a1d6b7e8cc3bf20466fb37ef03d  /usr/bin/maildist
> c709fd09363185e556c64be2c81ff6fb  /usr/bin/package
> 39437a68a2dc5501b3fc37458219fcc8  /usr/bin/edusers
> 66dbd5e38b2c05241b103db274399576  /usr/bin/mailagent
>  ....

Sort that by filename first and you have a reproducible list. You got
the drift.
> > Or the files can be generated at install time and stored
> > too. Intrusion detection systems could use those files then since
> > the signature preventstampering. It would be the users choice.
> 	manoj
> -- 
> Now she speaks rapidly.  "Do you know *why* you want to program?" He
> shakes his head.  He hasn't the faintest idea. "For the sheer *joy* of
> programming!" she cries triumphantly.  "The joy of the parent, the
> artist, the craftsman.  "You take a program, born weak and impotent as
> a dimly-realized solution.  You nurture the program and guide it down
> the right path, building, watching it grow ever stronger.  Sometimes
> you paint with tiny strokes, a keystroke added here, a keystroke
> changed there."  She sweeps her arm in a wide arc.  "And other times
> you savage whole *blocks* of code, ripping out the program's very
> *essence*, then beginning anew.  But always building, creating,
> filling the program with your own personal stamp, your own quirks and
> nuances.  Watching the program grow stronger, patching it when it
> crashes, until finally it can stand alone -- proud, powerful, and
> perfect.  This is the programmer's finest hour!"  Softly at first,
> then louder, he hears the strains of a Sousa march.  "This ... this is
> your canvas! your clay!  Go forth and create a masterwork!"
> Manoj Srivastava   <srivasta@debian.org>  <http://www.debian.org/%7Esrivasta/>



Reply to: